From: Glenn Strauss Date: Thu, 20 Oct 2022 20:22:01 +0000 (-0400) Subject: libmbedtls: build option submenu X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=602a76ed65e51fa4f10f50dbeda821741f2bdbab;p=openwrt%2Fstaging%2Fsvanheule.git libmbedtls: build option submenu menuconfig libmbedtls build option submenu Signed-off-by: Glenn Strauss --- diff --git a/package/libs/mbedtls/Config.in b/package/libs/mbedtls/Config.in new file mode 100644 index 0000000000..58843d08ce --- /dev/null +++ b/package/libs/mbedtls/Config.in 
@@ -0,0 +1,193 @@
+if PACKAGE_libmbedtls
+
+comment "Option details in source code: include/mbedtls/mbedtls_config.h"
+
+comment "Ciphers - unselect old or less-used ciphers to reduce binary size"
+
+config MBEDTLS_AES_C
+ bool "MBEDTLS_AES_C"
+ default y
+
+config MBEDTLS_CAMELLIA_C
+ bool "MBEDTLS_CAMELLIA_C"
+ default n
+
+config MBEDTLS_CCM_C
+ bool "MBEDTLS_CCM_C"
+ default n
+
+config MBEDTLS_CMAC_C
+ bool "MBEDTLS_CMAC_C"
+ default n
+
+config MBEDTLS_DES_C
+ bool "MBEDTLS_DES_C"
+ default n
+
+config MBEDTLS_GCM_C
+ bool "MBEDTLS_GCM_C"
+ default y
+
+config MBEDTLS_NIST_KW_C
+ bool "MBEDTLS_NIST_KW_C"
+ default n
+
+config MBEDTLS_RIPEMD160_C
+ bool "MBEDTLS_RIPEMD160_C"
+ default n
+
+config MBEDTLS_XTEA_C
+ bool "MBEDTLS_XTEA_C"
+ default n
+
+config MBEDTLS_RSA_NO_CRT
+ bool "MBEDTLS_RSA_NO_CRT"
+ default y
+
+config MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+ bool "MBEDTLS_KEY_EXCHANGE_PSK_ENABLED"
+ default y
+
+config MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+ bool "MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED"
+ default n
+
+config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+ bool "MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED"
+ default y
+
+config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+ bool "MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED"
+ default n
+
+config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+ bool "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED"
+ default y
+
+config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+ bool "MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED"
+ default y
+
+config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+ bool "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED"
+ default y
+
+config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+ bool "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED"
+ default y
+
+config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+ bool "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED"
+ default n
+
+config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+ bool "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED"
+ default n
+
+comment "Curves - unselect old or less-used curves to reduce binary size"
+
+config MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ bool "MBEDTLS_ECP_DP_SECP192R1_ENABLED"
+ default n
+
+config MBEDTLS_ECP_DP_SECP224R1_ENABLED
+ bool "MBEDTLS_ECP_DP_SECP224R1_ENABLED"
+ default n
+
+config MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ bool "MBEDTLS_ECP_DP_SECP256R1_ENABLED"
+ default y
+
+config MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ bool "MBEDTLS_ECP_DP_SECP384R1_ENABLED"
+ default y
+
+config MBEDTLS_ECP_DP_SECP521R1_ENABLED
+ bool "MBEDTLS_ECP_DP_SECP521R1_ENABLED"
+ default n
+
+config MBEDTLS_ECP_DP_SECP192K1_ENABLED
+ bool "MBEDTLS_ECP_DP_SECP192K1_ENABLED"
+ default n
+
+config MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ bool "MBEDTLS_ECP_DP_SECP224K1_ENABLED"
+ default n
+
+config MBEDTLS_ECP_DP_SECP256K1_ENABLED
+ bool "MBEDTLS_ECP_DP_SECP256K1_ENABLED"
+ default y
+
+config MBEDTLS_ECP_DP_BP256R1_ENABLED
+ bool "MBEDTLS_ECP_DP_BP256R1_ENABLED"
+ default n
+
+config MBEDTLS_ECP_DP_BP384R1_ENABLED
+ bool "MBEDTLS_ECP_DP_BP384R1_ENABLED"
+ default n
+
+config MBEDTLS_ECP_DP_BP512R1_ENABLED
+ bool "MBEDTLS_ECP_DP_BP512R1_ENABLED"
+ default n
+
+config MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ bool "MBEDTLS_ECP_DP_CURVE25519_ENABLED"
+ default y
+
+config MBEDTLS_ECP_DP_CURVE448_ENABLED
+ bool "MBEDTLS_ECP_DP_CURVE448_ENABLED"
+ default n
+
+comment "Build Options - unselect features to reduce binary size"
+
+config MBEDTLS_CERTS_C
+ bool "MBEDTLS_CERTS_C"
+ default n
+
+config MBEDTLS_CIPHER_MODE_OFB
+ bool "MBEDTLS_CIPHER_MODE_OFB"
+ default n
+
+config MBEDTLS_CIPHER_MODE_XTS
+ bool "MBEDTLS_CIPHER_MODE_XTS"
+ default n
+
+config MBEDTLS_DEBUG_C
+ bool "MBEDTLS_DEBUG_C"
+ default n
+
+config MBEDTLS_HKDF_C
+ bool "MBEDTLS_HKDF_C"
+ default n
+
+config MBEDTLS_PLATFORM_C
+ bool "MBEDTLS_PLATFORM_C"
+ default n
+
+config MBEDTLS_SELF_TEST
+ bool "MBEDTLS_SELF_TEST"
+ default n
+
+config MBEDTLS_SSL_TRUNCATED_HMAC
+ bool "MBEDTLS_SSL_TRUNCATED_HMAC"
+ default n
+
+config MBEDTLS_VERSION_C
+ bool "MBEDTLS_VERSION_C"
+ default n
+
+config MBEDTLS_VERSION_FEATURES
+ bool "MBEDTLS_VERSION_FEATURES"
+ default n
+
+comment "Build Options"
+
+config MBEDTLS_ENTROPY_FORCE_SHA256
+ bool "MBEDTLS_ENTROPY_FORCE_SHA256"
+ default y
+
+config MBEDTLS_SSL_RENEGOTIATION
+ bool "MBEDTLS_SSL_RENEGOTIATION"
+ default n
+
+endif
diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile
index 701d338a2c..a489f56755 100644
--- a/package/libs/mbedtls/Makefile
+++ b/package/libs/mbedtls/Makefile
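Review bot: Every entry in this menu is a bare `bool` with no `help`, so the options a deployer most needs a rationale for — `MBEDTLS_DES_C`, `MBEDTLS_SSL_TRUNCATED_HMAC`, `MBEDTLS_SSL_RENEGOTIATION`, `MBEDTLS_ECP_DP_SECP192R1_ENABLED` and the non-forward-secret `MBEDTLS_KEY_EXCHANGE_RSA_ENABLED` — can be flipped in menuconfig without the warning the replaced config.h carried (`\warning DES is considered a weak cipher and its use constitutes a security risk`); each such symbol should get a `help` block, e.g. under `config MBEDTLS_DES_C`: `help` / `Weak legacy cipher (3DES suites); enable only for peers that offer nothing better.` There are also no `depends on`/`select` relations, so menuconfig accepts combinations such as `MBEDTLS_GCM_C` without `MBEDTLS_AES_C` or an ECDHE key exchange with every curve unselected; if mbedtls's check_config.h rejects those as it does other unmet prerequisites, the user only learns at compile time, and `select MBEDTLS_AES_C` on the dependent symbols would prevent that. Note that `MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED` defaults to y here although the deleted 200-config.patch had it commented out, a behaviour change the commit message does not mention. The comment at the top points at `include/mbedtls/mbedtls_config.h` while the Makefile in this same commit edits `include/mbedtls/config.h`; one of the two paths is wrong for the packaged version.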
@@ -20,9 +20,60 @@ PKG_LICENSE:=GPL-2.0-or-later
 PKG_LICENSE_FILES:=gpl-2.0.txt
 PKG_CPE_ID:=cpe:/a:arm:mbed_tls
 
-PKG_CONFIG_DEPENDS := \
- CONFIG_LIBMBEDTLS_DEBUG_C \
- CONFIG_LIBMBEDTLS_HKDF_C
+MBEDTLS_BUILD_OPTS_CURVES= \
+ CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED \
+ CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED \
+ CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED \
+ CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED \
+ CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED \
+ CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED \
+ CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED \
+ CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED \
+ CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED \
+ CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED \
+ CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED \
+ CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED \
+ CONFIG_MBEDTLS_ECP_DP_CURVE448_ENABLED
+
+MBEDTLS_BUILD_OPTS_CIPHERS= \
+ CONFIG_MBEDTLS_AES_C \
+ CONFIG_MBEDTLS_CAMELLIA_C \
+ CONFIG_MBEDTLS_CCM_C \
+ CONFIG_MBEDTLS_CMAC_C \
+ CONFIG_MBEDTLS_DES_C \
+ CONFIG_MBEDTLS_GCM_C \
+ CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED \
+ CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED \
+ CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED \
+ CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED \
+ CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED \
+ CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED \
+ CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
+ CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \
+ CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED \
+ CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \
+ CONFIG_MBEDTLS_NIST_KW_C \
+ CONFIG_MBEDTLS_RIPEMD160_C \
+ CONFIG_MBEDTLS_RSA_NO_CRT \
+ CONFIG_MBEDTLS_XTEA_C
+
+MBEDTLS_BUILD_OPTS= \
+ $(MBEDTLS_BUILD_OPTS_CURVES) \
+ $(MBEDTLS_BUILD_OPTS_CIPHERS) \
+ CONFIG_MBEDTLS_CERTS_C \
+ CONFIG_MBEDTLS_CIPHER_MODE_OFB \
+ CONFIG_MBEDTLS_CIPHER_MODE_XTS \
+ CONFIG_MBEDTLS_DEBUG_C \
+ CONFIG_MBEDTLS_ENTROPY_FORCE_SHA256 \
+ CONFIG_MBEDTLS_HKDF_C \
+ CONFIG_MBEDTLS_PLATFORM_C \
+ CONFIG_MBEDTLS_SELF_TEST \
+ CONFIG_MBEDTLS_SSL_RENEGOTIATION \
+ CONFIG_MBEDTLS_SSL_TRUNCATED_HMAC \
+ CONFIG_MBEDTLS_VERSION_C \
+ CONFIG_MBEDTLS_VERSION_FEATURES
+
+PKG_CONFIG_DEPENDS := $(MBEDTLS_BUILD_OPTS)
 
 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/cmake.mk
@@ -44,28 +95,11 @@ $(call Package/mbedtls/Default)
 SUBMENU:=SSL
 TITLE+= (library)
 ABI_VERSION:=12
+ MENU:=1
 endef
 
 define Package/libmbedtls/config
-config LIBMBEDTLS_DEBUG_C
- depends on PACKAGE_libmbedtls
- bool "Enable debug functions"
- default n
- help
- This option enables mbedtls library's debug functions.
-
- It increases the uncompressed libmbedtls binary size
- by around 60 KiB (for an ARMv5 platform).
-
- Usually, you don't need this, so don't select this if you're unsure.
-
-config LIBMBEDTLS_HKDF_C
- depends on PACKAGE_libmbedtls
- bool "Enable the HKDF algorithm (RFC 5869)"
- default n
- help
- This option adds support for the Hashed Message Authentication Code
- (HMAC)-based key derivation function (HKDF).
+ source "$(SOURCE)/Config.in"
 endef
 
 define Package/mbedtls-util
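Review bot: Dropping `LIBMBEDTLS_DEBUG_C`/`LIBMBEDTLS_HKDF_C` in favour of the new `MBEDTLS_*` symbols silently discards those settings from existing .config files: a tree that had `CONFIG_LIBMBEDTLS_HKDF_C=y` now gets `MBEDTLS_HKDF_C` at its default n, and whatever consumed HKDF breaks at link or run time with no diagnostic. Keep the old names as compatibility shims in Config.in (`config LIBMBEDTLS_HKDF_C` / `bool` / `select MBEDTLS_HKDF_C`, likewise for DEBUG_C), or at least state the rename in the commit message so users know to re-run menuconfig. The removed help text (the ~60 KiB size note for debug, the RFC 5869 description for HKDF) has no counterpart in the new Config.in and is worth carrying over.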
@@ -97,26 +131,21 @@ CMAKE_OPTIONS += \
 -DENABLE_PROGRAMS:Bool=ON
 
 define Build/Configure
- $(Build/Configure/Default)
-
- awk 'BEGIN { rc = 1 } \
- /#define MBEDTLS_DEBUG_C/ { $$$$0 = "$(if $(CONFIG_LIBMBEDTLS_DEBUG_C),,// )#define MBEDTLS_DEBUG_C"; rc = 0 } \
- { print } \
- END { exit(rc) }' $(PKG_BUILD_DIR)/include/mbedtls/config.h \
- >$(PKG_BUILD_DIR)/include/mbedtls/config.h.new && \
- mv $(PKG_BUILD_DIR)/include/mbedtls/config.h.new $(PKG_BUILD_DIR)/include/mbedtls/config.h
-
- awk 'BEGIN { rc = 1 } \
- /#define MBEDTLS_HKDF_C/ { $$$$0 = "$(if $(CONFIG_LIBMBEDTLS_HKDF_C),,// )#define MBEDTLS_HKDF_C"; rc = 0 } \
- { print } \
- END { exit(rc) }' $(PKG_BUILD_DIR)/include/mbedtls/config.h \
- >$(PKG_BUILD_DIR)/include/mbedtls/config.h.new && \
- mv $(PKG_BUILD_DIR)/include/mbedtls/config.h.new $(PKG_BUILD_DIR)/include/mbedtls/config.h
+ $(call Build/Configure/Default)
 
 sed -i '/fuzz/d' $(PKG_BUILD_DIR)/programs/CMakeLists.txt
 sed -i '/test/d' $(PKG_BUILD_DIR)/programs/CMakeLists.txt
 endef
 
+define Build/Prepare
+ $(call Build/Prepare/Default)
+
+ $(foreach opt,$(MBEDTLS_BUILD_OPTS),
+ $(PKG_BUILD_DIR)/scripts/config.py \
+ -f $(PKG_BUILD_DIR)/include/mbedtls/config.h \
+ $(if $($(opt)),set,unset) $(patsubst CONFIG_%,%,$(opt)))
+endef
+
 define Build/InstallDev
 $(INSTALL_DIR) $(1)/usr/include
 $(CP) $(PKG_INSTALL_DIR)/usr/include/mbedtls $(1)/usr/include/
diff --git a/package/libs/mbedtls/patches/200-config.patch b/package/libs/mbedtls/patches/200-config.patch
deleted file mode 100644
index 54d4cf431d..0000000000
--- a/package/libs/mbedtls/patches/200-config.patch
+++ /dev/null
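Review bot: The awk step being removed exited non-zero (`rc = 1` unless the `#define` line was matched), so a renamed or removed upstream option broke the build loudly; the `scripts/config.py ... $(if $($(opt)),set,unset)` loop in the new Build/Prepare has no equivalent guard, and if config.py — as it appears to in the mbedtls 2.x tree — appends an unknown name on `set` and ignores it on `unset`, an option upstream renames in a later version bump is silently left at its shipped default, which for the security-relevant toggles here (renegotiation, truncated HMAC, DES) is the unsafe direction. A cheap presence check as the first line of the foreach body would restore the old fail-fast behaviour, e.g. `grep -q 'define $(patsubst CONFIG_%,%,$(opt))' $(PKG_BUILD_DIR)/include/mbedtls/config.h && \` ahead of the config.py invocation, so the recipe fails if the symbol is gone; verify config.py's actual handling of unknown names before relying on it instead. Build/Prepare also targets `include/mbedtls/config.h` while the new Config.in comment directs users to `include/mbedtls/mbedtls_config.h`; the two should agree.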
@@ -1,228 +0,0 @@ ---- a/include/mbedtls/config.h -+++ b/include/mbedtls/config.h -@@ -670,14 +670,14 @@ - * - * Enable Output Feedback mode (OFB) for symmetric ciphers. - */ --#define MBEDTLS_CIPHER_MODE_OFB -+//#define MBEDTLS_CIPHER_MODE_OFB - - /** - * \def MBEDTLS_CIPHER_MODE_XTS - * - * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES. - */ --#define MBEDTLS_CIPHER_MODE_XTS -+//#define MBEDTLS_CIPHER_MODE_XTS - - /** - * \def MBEDTLS_CIPHER_NULL_CIPHER -@@ -795,20 +795,20 @@ - * Comment macros to disable the curve and functions for it - */ - /* Short Weierstrass curves (supporting ECP, ECDH, ECDSA) */ --#define MBEDTLS_ECP_DP_SECP192R1_ENABLED --#define MBEDTLS_ECP_DP_SECP224R1_ENABLED -+//#define MBEDTLS_ECP_DP_SECP192R1_ENABLED -+//#define MBEDTLS_ECP_DP_SECP224R1_ENABLED - #define MBEDTLS_ECP_DP_SECP256R1_ENABLED - #define MBEDTLS_ECP_DP_SECP384R1_ENABLED --#define MBEDTLS_ECP_DP_SECP521R1_ENABLED --#define MBEDTLS_ECP_DP_SECP192K1_ENABLED --#define MBEDTLS_ECP_DP_SECP224K1_ENABLED -+//#define MBEDTLS_ECP_DP_SECP521R1_ENABLED -+//#define MBEDTLS_ECP_DP_SECP192K1_ENABLED -+//#define MBEDTLS_ECP_DP_SECP224K1_ENABLED - #define MBEDTLS_ECP_DP_SECP256K1_ENABLED --#define MBEDTLS_ECP_DP_BP256R1_ENABLED --#define MBEDTLS_ECP_DP_BP384R1_ENABLED --#define MBEDTLS_ECP_DP_BP512R1_ENABLED -+//#define MBEDTLS_ECP_DP_BP256R1_ENABLED -+//#define MBEDTLS_ECP_DP_BP384R1_ENABLED -+//#define MBEDTLS_ECP_DP_BP512R1_ENABLED - /* Montgomery curves (supporting ECP) */ - #define MBEDTLS_ECP_DP_CURVE25519_ENABLED --#define MBEDTLS_ECP_DP_CURVE448_ENABLED -+//#define MBEDTLS_ECP_DP_CURVE448_ENABLED - - /** - * \def MBEDTLS_ECP_NIST_OPTIM -@@ -961,7 +961,7 @@ - * See dhm.h for more details. 
- * - */ --#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED -+//#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED - - /** - * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -@@ -981,7 +981,7 @@ - * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA - */ --#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -+//#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED - - /** - * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED -@@ -1006,7 +1006,7 @@ - * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA - * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA - */ --#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED -+//#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED - - /** - * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED -@@ -1140,7 +1140,7 @@ - * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 - */ --#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED -+//#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED - - /** - * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED -@@ -1164,7 +1164,7 @@ - * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 - */ --#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED -+//#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED - - /** - * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED -@@ -1268,7 +1268,7 @@ - * This option is only useful if both MBEDTLS_SHA256_C and - * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used. - */ --//#define MBEDTLS_ENTROPY_FORCE_SHA256 -+#define MBEDTLS_ENTROPY_FORCE_SHA256 - - /** - * \def MBEDTLS_ENTROPY_NV_SEED -@@ -1483,14 +1483,14 @@ - * Uncomment this macro to disable the use of CRT in RSA. - * - */ --//#define MBEDTLS_RSA_NO_CRT -+#define MBEDTLS_RSA_NO_CRT - - /** - * \def MBEDTLS_SELF_TEST - * - * Enable the checkup functions (*_self_test). - */ --#define MBEDTLS_SELF_TEST -+//#define MBEDTLS_SELF_TEST - - /** - * \def MBEDTLS_SHA256_SMALLER -@@ -1761,7 +1761,7 @@ - * configuration of this extension). 
- * - */ --#define MBEDTLS_SSL_RENEGOTIATION -+//#define MBEDTLS_SSL_RENEGOTIATION - - /** - * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO -@@ -2022,7 +2022,7 @@ - * - * Comment this macro to disable support for truncated HMAC in SSL - */ --#define MBEDTLS_SSL_TRUNCATED_HMAC -+//#define MBEDTLS_SSL_TRUNCATED_HMAC - - /** - * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT -@@ -2201,7 +2201,7 @@ - * - * Comment this to disable run-time checking and save ROM space - */ --#define MBEDTLS_VERSION_FEATURES -+//#define MBEDTLS_VERSION_FEATURES - - /** - * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 -@@ -2550,7 +2550,7 @@ - * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 - */ --#define MBEDTLS_CAMELLIA_C -+//#define MBEDTLS_CAMELLIA_C - - /** - * \def MBEDTLS_ARIA_C -@@ -2616,7 +2616,7 @@ - * This module enables the AES-CCM ciphersuites, if other requisites are - * enabled as well. - */ --#define MBEDTLS_CCM_C -+//#define MBEDTLS_CCM_C - - /** - * \def MBEDTLS_CERTS_C -@@ -2628,7 +2628,7 @@ - * - * This module is used for testing (ssl_client/server). - */ --#define MBEDTLS_CERTS_C -+//#define MBEDTLS_CERTS_C - - /** - * \def MBEDTLS_CHACHA20_C -@@ -2741,7 +2741,7 @@ - * \warning DES is considered a weak cipher and its use constitutes a - * security risk. We recommend considering stronger ciphers instead. - */ --#define MBEDTLS_DES_C -+//#define MBEDTLS_DES_C - - /** - * \def MBEDTLS_DHM_C -@@ -2906,7 +2906,7 @@ - * This module adds support for the Hashed Message Authentication Code - * (HMAC)-based key derivation function (HKDF). - */ --#define MBEDTLS_HKDF_C -+//#define MBEDTLS_HKDF_C - - /** - * \def MBEDTLS_HMAC_DRBG_C -@@ -3219,7 +3219,7 @@ - * - * This module enables abstraction of common (libc) functions. 
- */ --#define MBEDTLS_PLATFORM_C -+//#define MBEDTLS_PLATFORM_C - - /** - * \def MBEDTLS_POLY1305_C -@@ -3295,7 +3295,7 @@ - * Caller: library/md.c - * - */ --#define MBEDTLS_RIPEMD160_C -+//#define MBEDTLS_RIPEMD160_C - - /** - * \def MBEDTLS_RSA_C -@@ -3506,7 +3506,7 @@ - * - * This module provides run-time version information. - */ --#define MBEDTLS_VERSION_C -+//#define MBEDTLS_VERSION_C - - /** - * \def MBEDTLS_X509_USE_C -@@ -3616,7 +3616,7 @@ - * Module: library/xtea.c - * Caller: - */ --#define MBEDTLS_XTEA_C -+//#define MBEDTLS_XTEA_C - - /** \} name SECTION: mbed TLS modules */ -